Despite a growing awareness of the importance of cyber security, data breaches of all types and scopes continue to strike within both the public and private sectors, with the price tag of settlements continuing to climb. And while government-related breaches have drawn the majority of the recent headlines, the hospitality industry has long been a favorite target for hackers, domestic and international. Indeed, some of the largest hospitality conglomerates in the world—among them HEI Hotels & Resorts, Kimpton Hotels & Restaurants, and Omni Hotels & Resorts—have faced major breaches over the past two years.

According to the 2016 Trustwave Global Security Report, the hospitality industry is the second-most vulnerable sector (No. 1: retail) to cyber assault, accounting for 14% of all global breaches.

And yet most hospitality operators, regardless of size or business line, continue to underestimate the financial impact that a digital hack could inflict on their bottom line. Case in point: the ultimate bill for a credit card data breach. Standard cyber policies cover a range of potential costs, including legal and technical services, business interruption and the cost of notifying customers whose data may have been compromised. But there’s a hidden cost of credit card breaches that many standard cyber policies fail to cover: card replacement. That is to say, as a general rule a cardholder is responsible for paying the cost (usually $5 or $10) of canceling and reissuing a lost or stolen card. But when the need to cancel and replace is prompted by a third-party data breach, the cardholder is typically not expected to pay that fee. Who is? More often than not it’s the compromised vendor, in the form of what is essentially a fine levied by payment card industry players, e.g., Visa, Mastercard, American Express, etc. And while this figure may seem nominal on an individual basis, a breach that compromises even 100,000 transactions or identities starts to add up rather quickly. (Many breaches have involved millions of individual cardholders.) Without custom coverage or policy language addressing this exposure, the cost is borne by the compromised business as an out-of-pocket expense.

This is just one example of the many potential gaps and land mines that may be found in boilerplate cyber policies. There are others. Coverage, for example, may vary across franchises, geographic lines or even individual bank credit card agreements. Governmental or other payment card industry fines can create additional layers of uncovered costs, as can the need for specialized public relations, e.g., crisis management or reputation repair. And, increasingly, there’s growing uncertainty about the liability obligations of cyber breaches that go beyond data theft. Which kind of policy, for example, comes into force in the event of, say, a pool drowning, thrill ride accident or physical assault that stems from a hack-induced electronic security system failure? General liability? Cyber? P&C? Litigation on such matters proceeds as you read this.

Given the complexity of the issues and the enormity of the financial exposure, it is Crystal & Company’s belief that few if any businesses in the hospitality industry can meet their cyber insurance needs with a one-size-fits-all policy. In addition to an insurance-oriented review of every operator’s cyber security systems, this reality underscores the need for an approach to managing cyber risk that reflects a skeptical appraisal of current coverage options and an awareness of the quick-changing law that governs liability. Indeed, just as cyber security is a rapidly evolving field, so too are the best practices around insuring against cyber risk.